From 04b72f6d6ea6628f633d146f6d346b351c2b54a4 Mon Sep 17 00:00:00 2001
From: gaozhekang
Date: Wed, 4 Nov 2020 16:48:55 +0800
Subject: [PATCH] src: avoid OOB read in URL parser

This is not a big concern, because right now, all (non-test) inputs to the parser are `'\0'`-terminated, but we should be future-proof here and not perform these OOB reads.
---
 nodejs.spec | 6 +-
 src-avoid-OOB-read-in-URL-parser.patch | 79 ++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 src-avoid-OOB-read-in-URL-parser.patch

diff --git a/nodejs.spec b/nodejs.spec
index 6b1e6f8..f7e262b 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -6,7 +6,7 @@
 %global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
-%global nodejs_release 4
+%global nodejs_release 5
 %global v8_major 6
 %global v8_minor 8
@@ -45,6 +45,7 @@ Patch0003: CVE-2018-12122.patch
 Patch0004: CVE-2019-5737.patch
 Patch0005: CVE-2018-12121.patch
 Patch0006: CVE-2018-12123.patch
+Patch0007: src-avoid-OOB-read-in-URL-parser.patch
 BuildRequires: gcc gcc-c++ openssl-devel
 BuildRequires: http-parser-devel
@@ -221,6 +222,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %doc %{_mandir}/man1/node.1*
 %changelog
+* Wed Nov 04 2020 gaozhekang - 1:10.11.0-5
+- avoid OOB read in URL parser
+
 * Sun Sep 20 2020 zhangtao - 1:10.11.0-4
 - Fix CVE-2018-12121 CVE-2018-12123
diff --git a/src-avoid-OOB-read-in-URL-parser.patch b/src-avoid-OOB-read-in-URL-parser.patch
new file mode 100644
index 0000000..6108a39
--- /dev/null
+++ b/src-avoid-OOB-read-in-URL-parser.patch
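Review bot: The `Patch0007: src-avoid-OOB-read-in-URL-parser.patch` line added in the second nodejs.spec hunk declares the patch, but nothing in this diff applies it; unless %prep uses `%autosetup` or `%autopatch` (not visible here), a matching `%patch0007 -p1` line is needed, otherwise release 5 builds with the fix silently absent. The %prep section lies outside these hunks, so this should be checked once before the build is tagged.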
@@ -0,0 +1,79 @@
+From 4cb8fa4aa5dea72bc66ea950e3fc193385bb7175 Mon Sep 17 00:00:00 2001
+From: gaozhekang
+Date: Wed, 4 Nov 2020 11:12:53 +0800
+Subject: [PATCH] src: avoid OOB read in URL parser
+
+This is not a big concern, because right now, all (non-test) inputs
+to the parser are `'\0'`-terminated, but we should be future-proof
+here and not perform these OOB reads.
+
+---
+ src/node_url.cc | 6 +++---
+ test/cctest/test_url.cc | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/node_url.cc b/src/node_url.cc
+index 7bfcde5..41492b1 100644
+--- a/src/node_url.cc
++++ b/src/node_url.cc
+@@ -1487,7 +1487,7 @@ void URL::Parse(const char* input,
+ state = kSpecialRelativeOrAuthority;
+ } else if (special) {
+ state = kSpecialAuthoritySlashes;
+- } else if (p[1] == '/') {
++ } else if (p + 1 < end && p[1] == '/') {
+ state = kPathOrAuthority;
+ p++;
+ } else {
+@@ -1547,7 +1547,7 @@ void URL::Parse(const char* input,
+ }
+ break;
+ case kSpecialRelativeOrAuthority:
+- if (ch == '/' && p[1] == '/') {
++ if (ch == '/' && p + 1 < end && p[1] == '/') {
+ state = kSpecialAuthorityIgnoreSlashes;
+ p++;
+ } else {
+@@ -1695,7 +1695,7 @@ void URL::Parse(const char* input,
+ break;
+ case kSpecialAuthoritySlashes:
+ state = kSpecialAuthorityIgnoreSlashes;
+- if (ch == '/' && p[1] == '/') {
++ if (ch == '/' && p + 1 < end && p[1] == '/') {
+ p++;
+ } else {
+ continue;
+diff --git a/test/cctest/test_url.cc b/test/cctest/test_url.cc
+index ddef534..810cbc2 100644
+--- a/test/cctest/test_url.cc
++++ b/test/cctest/test_url.cc
+@@ -80,6 +80,26 @@ TEST_F(URLTest, Base3) {
+ EXPECT_EQ(simple.path(), "/baz");
+ }
+
++TEST_F(URLTest, TruncatedAfterProtocol) {
++ char input[2] = { 'q', ':' };
++ URL simple(input, sizeof(input));
++
++ EXPECT_FALSE(simple.flags() & URL_FLAGS_FAILED);
++ EXPECT_EQ(simple.protocol(), "q:");
++ EXPECT_EQ(simple.host(), "");
++ EXPECT_EQ(simple.path(), "/");
++}
++
++TEST_F(URLTest, TruncatedAfterProtocol2) {
++ char input[6] = { 'h', 't', 't', 'p', ':', '/' };
++ URL simple(input, sizeof(input));
++
++ EXPECT_TRUE(simple.flags() & URL_FLAGS_FAILED);
++ EXPECT_EQ(simple.protocol(), "http:");
++ EXPECT_EQ(simple.host(), "");
++ EXPECT_EQ(simple.path(), "");
++}
++
+ TEST_F(URLTest, ToFilePath) {
+ #define T(url, path) EXPECT_EQ(path, URL(url).ToFilePath())
+ T("http://example.org/foo/bar", "");
+--
+2.23.0
+
-- Gitee
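Review bot: The three node_url.cc hunks guard `p[1]` with `p + 1 < end`, which is only a real bounds check if `end` is derived from the `len` argument of URL::Parse rather than from a `'\0'` scan; that definition lies outside the hunks (URL::Parse begins and ends outside all three), so the backport should confirm the 10.11 tree's `end` is computed the same way as in the upstream commit, presumably `input + len`. The new cctest cases deliberately pass unterminated stack arrays, but a one-byte over-read of a 2- or 6-byte local rarely faults, so without an ASan or Valgrind run the tests pass both before and after the fix and do not by themselves demonstrate the regression; running test/cctest once under a sanitizer build would close that gap. Any other one-byte lookahead on `p` in the same parser that this patch does not touch would warrant the same `p + 1 < end` guard; the hunks cover only the three `'/'` checks.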